DDoS: Ellie Mae Hit with Timely Attack

News of a distributed-denial-of-service attackagainst Ellie Mae, which provides core operating systems and other technologies to mortgage originators, came the same week as banking regulators issued a reminder about mitigating the risks associated with such attacks.

Ellie Mae, which has approximately 1,500 clients, confirms it suffered a DDoS attack from March 31 to April 1 that caused sporadic website outages. It described the incident as "a well-formed Web service request from a wide distribution of sources." The company says there's no evidence of any data breach tied to the attack, and that client data and personal borrower data remained secure.

On April 2, the Federal Financial Institutions Examination Council issued statements notifying financial institutions of risks linked to continued DDoS attacks as well as ATM cash-out schemes. In that statement, banking regulators outlined steps institutions are expected to take to mitigate their risks.

Security experts say the news about the attack against Ellie Mae and the notices from the FFIEC point to the need for financial institutions to take a hard look at the risks they face, as well assess their vendor partners' risks.

Commenting on the FFIEC notice, Rodney Joffe, senior vice president and technologist for DDoS mitigation provide Neustar, says: "I can't remember a time when a federal regulator or regulatory body has actually come out with a statement around cybersecurity like this with very, very clear directions,"

DDoS attacks against banking institutions garnered attention in September 2012, when the self-proclaimed hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters began its first phase of attacks against leading U.S. banks. Those attacks continued through the summer of 2013.

While strikes against banking institutions have subsided, the fact that the FFIEC has issued this guidance suggests the threats posed by DDoS are ongoing, Joffe says.

"[Banking institutions] need to go through the recommendations that are provided by the FFIEC," he says. "Banks now need to start looking at those best practices and see how close they come to fulfilling them already."

The statement from regulators also stresses that banking institutions, especially smaller ones, need to consider hiring third parties to help them manage their DDoS mitigation strategies, notes Mike Smith, a security evangelist at online security firm Akamai Technologies.

"What we've seen during the DDoS attacks against financial services over the past couple of years is that the organizations that will survive the best are the ones that have processes, pre-determined risk assessments, and decision criteria for allowing mitigation providers to inspect SSL [secure-sockets-layer] traffic," Smith says.

Ellie Mae Incident

A spokesman for Ellie Mae notes the company uses including Juniper firewalls; real-time monitoring provided through Zenoss, Splunk, Balance and Vsphere; and a staffed 24x7 network monitoring system. However, these systems rely on detecting patterns that were not present in the attacks that took the company's website offline.

"Ellie Mae has engaged a third-party security/threat management firm to aid us in evaluating the data we already have as well as adjusting configuration settings to increase potential detection," the spokesman says.

Overall Security

The Office of the Comptroller of the Currency said in a corresponding statement about DDoS attacks that the FFIEC expects banks to address DDoS readiness as part of their ongoing information security and incident response plans.

Specifically, the OCC notes that banking institutions are expected to monitor incoming traffic to their public websites; activate incident response plans if they suspect a DDoS attack is occurring; and ensure sufficient staffing for the duration of the attack, including the use of previously contracted third-party services.

The OCC also notes that community banks should ensure that their in-house information technology units or service providers are taking appropriate action to mitigate DDoS risks.

The National Credit Union Administration, in a statement provided to Information Security Media Group, says that while DDoS attacks against credit unions have been relatively uncommon, they are, nevertheless, concerning.

"Because this type of attack occurs so infrequently, there is not enough data available to suggest a trend," a spokesman for the agency says. "However, these are serious types of attacks with the potential to inflict significant damage, so it is important for the industry and for the NCUA to remain vigilant."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;